Version in base suite: 4.96-15+deb12u7
Version in overlay suite: 4.96-15+deb12u8

Base version: exim4_4.96-15+deb12u8
Target version: exim4_4.96-15+deb12u9
Base file: /srv/ftp-master.debian.org/ftp/pool/main/e/exim4/exim4_4.96-15+deb12u8.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/e/exim4/exim4_4.96-15+deb12u9.dsc

 changelog                                                             |    7 
 patches/83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch |  161 ++++++++++
 patches/series                                                        |    1 
 3 files changed, 169 insertions(+)

dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp467ag9ff/exim4_4.96-15+deb12u8.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp467ag9ff/exim4_4.96-15+deb12u9.dsc: no acceptable signature found
diff -Nru exim4-4.96/debian/changelog exim4-4.96/debian/changelog
--- exim4-4.96/debian/changelog	2026-05-02 09:33:47.000000000 +0000
+++ exim4-4.96/debian/changelog	2026-05-11 17:12:18.000000000 +0000
@@ -1,3 +1,10 @@
+exim4 (4.96-15+deb12u9) bookworm-security; urgency=high
+
+  * Backport fix for Use-After-Free in GnuTLS BDAT/CHUNKING code path.
+    This is Exim-Security-2026-05-01.1, fixed upstream in 4.99.3.
+
+ -- Andreas Metzler <ametzler@debian.org>  Mon, 11 May 2026 19:12:18 +0200
+
 exim4 (4.96-15+deb12u8) bookworm; urgency=medium
 
   * Fix GnuTLS hostname verify of a server certificate with a zero-length
diff -Nru exim4-4.96/debian/patches/83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch exim4-4.96/debian/patches/83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch
--- exim4-4.96/debian/patches/83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch	1970-01-01 00:00:00.000000000 +0000
+++ exim4-4.96/debian/patches/83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch	2026-05-11 17:01:08.000000000 +0000
@@ -0,0 +1,161 @@
+From 040c1ce6889f435206677ed532c9a4185cf0bcaf Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sat, 2 May 2026 18:52:10 +0100
+Subject: [PATCH] TLS: on rxd close with CHUNKING active, clean the input
+ processing stack (closes #39, EXIM-Security-2026-05-01.1)
+
+(cherry picked from commit f7387b3ba8944791d6ed8a3e4bf8f6f4239c74d1)
+---
+ doc/ChangeLog            | 13 +++++++
+ src/functions.h              |  1 +
+ src/smtp_in.c                | 50 +++++++++++++++++++-----
+ src/tls-gnu.c                |  6 +--
+ src/tls-openssl.c            |  2 +-
+ test/log/1114                    |  1 +
+ test/scripts/1100-Basic-TLS/1114 | 40 +++++++++++++++++++-
+ test/stdout/1114                 | 65 ++++++++++++++++++++++++++++++++
+ 8 files changed, 163 insertions(+), 15 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -137,10 +137,14 @@ JH/07 Bug 3106: Fix coding in SPA authen
+ 
+ JH/36 CVE-2026-40687: The spa authenticator used an unitialized buffer, which
+       could result in a leak of data. It also had potential for wrting past the
+       end of static buffers, by choice of data provided by the client.
+ 
++JH/01 GnuTLS: when a TLS close alert was received with CHUNKING still active
++      a one-byte write into a freed buffer was possible.  Fix by reinstating
++      the plaintext input handlers on TLS close while maintaining the bdat
++      handlers.
+ 
+ Exim version 4.96
+ -----------------
+ 
+ JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
+--- a/src/functions.h
++++ b/src/functions.h
+@@ -54,10 +54,11 @@ extern void    tls_clean_env(void);
+ extern BOOL    tls_client_start(client_conn_ctx *, smtp_connect_args *,
+ 		  void *, tls_support *, uschar **);
+ extern void    tls_client_creds_reload(BOOL);
+ 
+ extern void    tls_close(void *, int);
++extern void    tls_close_notify(void);
+ extern BOOL    tls_could_getc(void);
+ extern void    tls_daemon_init(void);
+ extern int     tls_daemon_tick(void);
+ extern BOOL    tls_dropprivs_validate_require_cipher(BOOL);
+ extern BOOL    tls_export_cert(uschar *, size_t, void *);
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -654,10 +654,22 @@ return wouldblock_reading();
+ 
+ 
+ /******************************************************************************/
+ /* Variants of the smtp_* input handling functions for use in CHUNKING mode */
+ 
++static inline void
++smtp_rcv_cleartext(void)
++{
++receive_getc = smtp_getc;
++receive_getbuf = smtp_getbuf;
++receive_get_cache = smtp_get_cache;
++receive_hasc = smtp_hasc;
++receive_ungetc = smtp_ungetc;
++receive_feof = smtp_feof;
++receive_ferror = smtp_ferror;
++}
++
+ /* Forward declarations */
+ static inline void bdat_push_receive_functions(void);
+ static inline void bdat_pop_receive_functions(void);
+ 
+ 
+@@ -896,10 +908,36 @@ bdat_push_receive_functions();  /* we're
+ return lwr_receive_ungetc(ch);
+ }
+ 
+ 
+ 
++#ifndef DISABLE_TLS
++/* The TLS layer has received a Close notification alert, meaning no
++more encrypted data will be received.
++
++To preserve layering of the receive processing if a BDAT chunk is still
++in progress, pop the bdat layer, reset to plaintext processing then
++re-push the bdat layer.
++Then close our writing side of the TLS channel.
++
++Any chunk in progress will likely error out anyway; let the existing
++processing handle it.
++*/
++
++void
++tls_close_notify(void)
++{
++if (chunking_state > CHUNKING_OFFERED)
++  {
++  bdat_pop_receive_functions();
++  smtp_rcv_cleartext();
++  bdat_push_receive_functions();
++  }
++tls_close(NULL, TLS_NO_SHUTDOWN);
++}
++#endif
++
+ /******************************************************************************/
+ 
+ /*************************************************
+ *     Write formatted string to SMTP channel     *
+ *************************************************/
+@@ -2592,17 +2630,12 @@ else
+ /* Set up the buffer for inputting using direct read() calls, and arrange to
+ call the local functions instead of the standard C ones. */
+ 
+ smtp_buf_init();
+ 
+-receive_getc = smtp_getc;
+-receive_getbuf = smtp_getbuf;
+-receive_get_cache = smtp_get_cache;
+-receive_hasc = smtp_hasc;
+-receive_ungetc = smtp_ungetc;
+-receive_feof = smtp_feof;
+-receive_ferror = smtp_ferror;
++smtp_rcv_cleartext();
++
+ lwr_receive_getc = NULL;
+ lwr_receive_getbuf = NULL;
+ lwr_receive_hasc = NULL;
+ lwr_receive_ungetc = NULL;
+ 
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -3852,11 +3852,11 @@ if (sigalrm_seen)
+   }
+ 
+ else if (inbytes == 0)
+   {
+   DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
+-  tls_close(NULL, TLS_NO_SHUTDOWN);
++  tls_close_notify();
+   return FALSE;
+   }
+ 
+ /* Handle genuine errors */
+ 
+--- a/src/tls-openssl.c
++++ b/src/tls-openssl.c
+@@ -4239,11 +4239,11 @@ switch(error)
+     DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
+ 
+     if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
+ 	  SSL_shutdown(ssl);
+ 
+-    tls_close(NULL, TLS_NO_SHUTDOWN);
++    tls_close_notify();
+     return FALSE;
+ 
+   /* Handle genuine errors */
+   case SSL_ERROR_SSL:
+     ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring));
diff -Nru exim4-4.96/debian/patches/series exim4-4.96/debian/patches/series
--- exim4-4.96/debian/patches/series	2026-05-02 09:33:28.000000000 +0000
+++ exim4-4.96/debian/patches/series	2026-05-11 17:01:08.000000000 +0000
@@ -61,4 +61,5 @@
 82_04-Expansions-harden-for-malformed-UTF-8.patch
 82_05-Fix-SPA-authenticator.-Bug-3106.patch
 82_06-SPA-authenticator-harden-buffer-usage.patch
+83_TLS-on-rxd-close-with-CHUNKING-active-clean-the-inpu.patch
 90_localscan_dlopen.dpatch